stable

realmd-0.17.1-11.fc41

FEDORA-2024-94daf8415d created by sbose a year ago for Fedora 41

Automatic update for realmd-0.17.1-11.fc41.

Changelog
* Thu Feb 29 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-11
- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-94daf8415d

This update was automatically created

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'passed'.

a year ago

This update has been submitted for stable by bodhi

a year ago
User Icon adamwill commented & provided feedback a year ago
karma

Agh. This seems to be broken, but it's not critical path, so openQA didn't catch it, but now it's causing tests of everything that is critical path to fail. SELinux is preventing realmd from doing lookups, at least LDAP but probably others too:

Mar 01 03:00:42 client005.test.openqa.fedoraproject.org audit[1126]: AVC avc:  denied  { nnp_transition } for  pid=1126 comm="(realmd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=process2 permissive=0
Mar 01 03:00:42 client005.test.openqa.fedoraproject.org audit[1126]: AVC avc:  denied  { name_connect } for  pid=1126 comm="realmd" dest=389 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
User Icon sundaram commented a year ago

Hi Adam

I don't have a LDAP environment to reproduce this. Would it be feasible for you to help sort out which of the new options is breaking this?

User Icon adamwill commented a year ago

I can try, yeah, it'll be a bit slow though as it takes ~20 minutes on each attempt to find out if the test is gonna pass or not. For now https://bodhi.fedoraproject.org/updates/FEDORA-2024-ce079def87 reverts all the changes, to unblock other updates.

User Icon adamwill commented a year ago

Just going by the denials, my best guess is NoNewPrivileges for nnp_transition. For name_connect I'm not sure - google suggests that denial is for "When an application is connecting to a port", which is obviously something realmd needs to do, but I'm not sure which of the policies would be blocking it.

User Icon sbose commented a year ago

Hi,

please see my comments in https://src.fedoraproject.org/rpms/realmd/pull-request/12, I think it is related to NoNewPrivileges=yes.

bye, Sumit

User Icon adamwill commented a year ago

OK, well I'm testing a scratch build with NoNewPrivileges=no right now, so I guess we'll find out :)

User Icon adamwill commented a year ago

It looks like that scratch build passed the openQA tests, at least. It's possible all the other restrictions might still cause some kind of problem on paths openQA doesn't test (openQA tests enrolling to FreeIPA and AD realms both directly via realm join and via Cockpit, and running realm list from an enrolled client).

Please login to add feedback.

Metadata
Type
unspecified
Karma
-1
Signed
Content Type
RPM
Test Gating
Autopush Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
0 days
Dates
submitted
a year ago
in testing
a year ago
in stable
a year ago
approved
a year ago
Builds
1
realmd-0.17.1-11.fc41
realmd-0.17.1-11.fc41

Automated Test Results

Copyright © 2007-2025 Red Hat, Inc. and others.

Running bodhi-server 8.3.0^202504140743git8ca72e0 on bodhi-web-273-ppgd9.

bodhi is Free Software. Please file issues if you have any problems. Read the documentation.

Composes Legal Privacy policy